Whitelisting

Overview

Application whitelisting is the complete opposite to the blacklisting approach used in traditional anti-viruses. Traditional anti-viruses use signature databases, which can be considered as a blacklist of program code not wanted on a machine. If the application contains code included in anti-virus signature base, this application will be blacklisted, and the anti-virus will consider it as malicious application and block it. Traditional anti-virus lets everything run except applications it knows are bad. As the number of new malicious programs increases exponentially, the signature blacklists can’t be updated quickly enough, so new malicious applications are able to run.

Application whitelisting is different. If traditional antivirus is blacklist, then solutions designed to prevent any unapproved code from running – application whitelisting – is where the future of antivirus lies. Compared to application whitelisting, the biggest problem with traditional anti-virus approach is the impossibility of keeping up with new malware quickly enough to avoid infection. Another problem with traditional antivirus is that the ever-increasing size of those blacklists means an ever-increasing risk of false-positives. If code for legitimate software is added to the signature base by mistake, the antivirus can crash the system. Ironically, this has happened to at least one antivirus company that also offers application whitelisting solutions.

Application whitelisting solutions

Application whitelisting is a much more effective approach to the prevention of malware infections. The main idea behind application whitelisting is that only software which has been designated safe is allowed to run; any code not included on the application whitelist is blocked from running.

Today’s malware is largely spread over the Internet, where it can do more damage more quickly than antivirus researchers can keep up with. But application whitelisting is effective against these so called “zero-day” threats – which spread quickly and usually disappear completely within 24 hours - and targeted hacker attacks in which unique malicious code is used.

So what’s the downside of application whitelisting? The solution is in the implementation. Some application whitelisting solutions need manual updates every time an application patch or update is issued – which is no more practical than a signature antivirus relying on multiple updates every day.

SafenSoft’s Host Intrusion Prevention System incorporates automatic application whitelisting with privilege sandboxing. This enables network administrators to establish a database of trusted programs – a truly functional application whitelist. The system can be locked down completely, or applications can be executed in a secure environment, or individual or group policies can be applied to enable certain applications be used for specific purposes and/or in specific circumstances only. Alerts are only generated when a new application is launched, not an updated or patched version of an existing trusted application.